Bug 59087 (CVE-2004-0797) - VUL-0: CVE-2004-0797: zlib: DoS in zlib 1.2
Summary: VUL-0: CVE-2004-0797: zlib: DoS in zlib 1.2
Status: RESOLVED FIXED
Alias: CVE-2004-0797
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: CVE-2004-0797: CVSS v2 Base Score: 2....
Reported: 2004-08-23 17:23 UTC by Sebastian Krahmer
Modified: 2021-09-26 10:35 UTC

Attachments
Attachment which was added to the mail (6.34 KB, text/plain)
2004-08-23 17:30 UTC, Sebastian Krahmer
box patchinfo for zlib and zlib-devel (510 bytes, text/plain)
2004-08-24 21:54 UTC, Sebastian Krahmer
patchinfo for maintained, zlib and zlib-devel (486 bytes, text/plain)
2004-08-24 21:55 UTC, Sebastian Krahmer
alternative patch (967 bytes, patch)
2004-08-25 16:35 UTC, Sebastian Krahmer

Description Sebastian Krahmer 2004-08-23 17:23:44 UTC
Date: Mon, 23 Aug 2004 07:31:24 +0200
From: Martin Schulze <joey@infodrom.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-0797: Denial of service in zlib 1.2
Parts/Attachments:
   1 Shown     14 lines  Text
   2   OK     152 lines  Text
----------------------------------------

Hi,

our zlib1.2 maintainer sent the following message upstream.  This issue is
already public due to http://bugs.debian.org/252253.

This only affects zlib 1.2 (inflate() was rewritten between 1.1
and 1.2).

Regards,
 Joey
Comment 1 Sebastian Krahmer 2004-08-23 17:23:44 UTC
Which products ship zlib 1.2?
Comment 2 Marcus Meissner 2004-08-23 17:29:14 UTC
9.1 / SLES 9. 
 
9.0 and below use 1.1.4 and less 
Comment 3 Sebastian Krahmer 2004-08-23 17:30:14 UTC
Created attachment 22841 [details]
Attachment which was added to the mail

...
Comment 4 Ruediger Oertel 2004-08-23 21:55:23 UTC
patch extracted ... package building 
who will write patchinfo files (SLES9/9.1) ? 
Comment 5 Sebastian Krahmer 2004-08-24 21:44:23 UTC
Hold, I will write them.
Comment 6 Sebastian Krahmer 2004-08-24 21:54:38 UTC
Created attachment 22871 [details]
box patchinfo for zlib and zlib-devel

...
Comment 7 Sebastian Krahmer 2004-08-24 21:55:05 UTC
Created attachment 22872 [details]
patchinfo for maintained, zlib and zlib-devel

...
Comment 8 Sebastian Krahmer 2004-08-25 16:32:48 UTC
Date: Wed, 25 Aug 2004 01:23:42 +0400
From: Dmitry V. Levin <ldv@altlinux.org>
To: vendor-sec@lst.de
Cc: Mark Brown <broonie@sirena.org.uk>
Subject: Re: [vendor-sec] CAN-2004-0797: Denial of service in zlib 1.2
Parts/Attachments:
   1.1 Shown    ~28 lines  Text
   1.2   OK     ~27 lines  Text
   2            196 bytes  Application
----------------------------------------

Hi,

On Mon, Aug 23, 2004 at 07:31:24AM +0200, Martin Schulze wrote:
[...]
> The source of the problem appears to be that throughout the inflate()
> function the standard way to handle a detected error is:
> 
>      strm->msg = (char *)"Error message";
>      state->mode = BAD;
>      break;
> 
> However, while processing the CODELENS state there are a couple of cases
> where an error can be detected inside a while loop so this idiom doesn't
> exit the main processing but instead only exits the while loop.  This
> causes the code to continue into inflate_trees() and potentially crash
> on uninitialised values in the lens array[1].  The fix below replaces
> the break statement with a goto statement that does the right thing.

The fix proposed by Mark Brown does not set the proper return value of
the inflate() and inflateBack() functions in case of an error inside the
loop. Either the ret variable should be set to Z_DATA_ERROR right before
the goto statement, or state->mode should be tested right after the loop.

Here is a patch which demonstrates the second approach.

Comment 9 Sebastian Krahmer 2004-08-25 16:35:52 UTC
Created attachment 22894 [details]
alternative patch

Please see last comment.
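
The control flow discussed in comment 8, as an added example in C; it is not zlib source and not either of the attached patches. The names (toy_inflate, the variant enum, T_DATA_ERROR) and the sample inputs are constructed, and the toy assumes the error code is assigned only in the BAD case of the state switch.

```c
#include <stdio.h>
/* Toy model of the control flow only; not zlib source. All names are hypothetical. */
enum mode { CODELENS, DONE, BAD };
enum variant { BREAK_ONLY, GOTO_NO_RET, GOTO_SET_RET, TEST_MODE };
enum { T_OK = 0, T_DATA_ERROR = -3, NLEN = 4, UNSET = -1 };
struct result { int ret; int unset_read; };
const int GOOD_IN[NLEN] = { 3, 3, 4, 4 };   /* constructed sample input */
const int BAD_IN[NLEN]  = { 3, 99, 4, 4 };  /* constructed: 99 is an invalid length */

static struct result toy_inflate(const int *in, enum variant v)
{
    struct result r = { T_OK, 0 };
    enum mode mode = CODELENS;
    int lens[NLEN] = { UNSET, UNSET, UNSET, UNSET };
    int have = 0, i;
    for (;;) switch (mode) {
    case CODELENS:
        while (have < NLEN) {
            if (in[have] > 15) {            /* error detected inside the loop */
                mode = BAD;
                if (v == GOTO_SET_RET) r.ret = T_DATA_ERROR;
                if (v == GOTO_NO_RET || v == GOTO_SET_RET) goto leave;
                break;                      /* exits the while loop only */
            }
            lens[have] = in[have];
            have++;
        }
        if (v == TEST_MODE && mode == BAD) break;   /* exits the switch */
        /* stand-in for the table build: count entries it reads that were never set */
        for (i = 0; i < NLEN; i++) r.unset_read += (lens[i] == UNSET);
        if (mode != BAD) mode = DONE;
        break;
    case DONE: goto leave;
    case BAD:                               /* assumed: error code assigned only here */
        r.ret = T_DATA_ERROR;
        goto leave;
    }
leave:
    return r;
}

int main(void)
{
    for (int v = BREAK_ONLY; v <= TEST_MODE; v++) {
        struct result r = toy_inflate(BAD_IN, (enum variant)v);
        printf("variant %d: ret=%d unset_read=%d\n", v, r.ret, r.unset_read);
    }
    return 0;
}
```

With the constructed bad input, the break-only variant reaches the table-build stand-in with three unset entries, and the goto variant that leaves ret alone skips it but returns T_OK. The goto variant that sets ret and the variant that tests the mode after the loop both skip it and return T_DATA_ERROR.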
Comment 10 Ruediger Oertel 2004-08-25 20:47:47 UTC
packages submitted to 9.1/SLES9 and stable 
 
Comment 11 Sebastian Krahmer 2004-08-27 16:30:32 UTC
CAN-2004-0797
Comment 12 Thomas Biege 2004-09-02 22:26:56 UTC
packages approved... adv. will be released in a few minutes
Comment 13 Thomas Biege 2009-10-13 19:47:47 UTC
CVE-2004-0797: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)